I changed my props.conf a while ago so that SHOULD_LINEMERGE=false , and since then, I've gotten my desired result—one log line for one event.
However, whenever I output my search to a CSV file, it still contains the events that were indexed prior to me changing the props.conf . These events still have multiple log lines under a single timestamp.
Is there any way to tell Splunk to retroactively break up those indexed events into their own separate events? Or at least output to a CSV that has one event = one line?
... View more